JDK-8239925 : TLS 1.3 session uses up 2 entries in SSL session cache
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 11
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • Submitted: 2020-02-23
  • Updated: 2020-08-05
  • Resolved: 2020-08-05
JDK 16: 16 (Resolved)
Related Reports
Duplicate :  
Description
A DESCRIPTION OF THE PROBLEM :
When a new client connects to a Java server using TLS 1.3, 2 entries are created in SSL session cache; as a result the default session cache can only cache sessions for half the clients.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Start a TLS 1.3 server; connect to that server using any TLS 1.3 client; count entries in SSL session cache

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected to find one entry in session cache
ACTUAL -
Found 2 entries in session cache

---------- BEGIN SOURCE ----------
package com.company;

import javax.net.ssl.*;
import java.io.ByteArrayInputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Base64;
import java.util.Enumeration;

public class MinimalServer {
    private static String SelfSignedP12 =
            "MIIEVwIBAzCCBBAGCSqGSIb3DQEHAaCCBAEEggP9MIID+TCCAQUGCSqGSIb3DQEHAaCB9wSB9DCB8TCB" +
            "7gYLKoZIhvcNAQwKAQKggYgwgYUwKQYKKoZIhvcNAQwBAzAbBBTs1k2eXy198HtbbK7Hlxl2KO8FJQID" +
            "AMNQBFhc3G89/a31MBNYtgAeNUWw/8QMBE7O0HAdYiaWZEF5Iuq+7nH0RdQjiG58rGH+x2bT6aUaIv5s" +
            "GqCwzz8pUI2usBtjUsz2/EOWVEM1a7YPNs/aiktQprTsMVQwLwYJKoZIhvcNAQkUMSIeIAB0AGUAcwB0" +
            "ACAAYwBlAHIAdABpAGYAaQBjAGEAdABlMCEGCSqGSIb3DQEJFTEUBBJUaW1lIDE1MzAyNzYwMDIxMTUw" +
            "ggLsBgkqhkiG9w0BBwagggLdMIIC2QIBADCCAtIGCSqGSIb3DQEHATApBgoqhkiG9w0BDAEGMBsEFGop" +
            "U5AyxcnCeLd9CRH64BbhM3K6AgMAw1CAggKY5YOXqPL3v1n6Q7m6XXK32ifjdyD+P7mR5roL6IRqb5sn" +
            "iwlCUEoPaKYnWb9zGqISjVV+sTMRV1AV6NVl0MaGqZooYbqNuLdOLQRBX8s2kkRQpnlLJbXwAtGReN/v" +
            "sQkfmSWQH1vkpNRD6lBL10wbVa3FXLTwXiyWSNHooKZuqiA3YYRLPKcSKvGePDbH96Lv2xn8tXX8R4DS" +
            "AXMF5+p7e1YxfnrI0j/2EvZ1iy5S5aNuuHVQLdkhzBQ/xepYNhQ6B9PR3wTLNaAN0y5DpMwBwtRaEE5x" +
            "sya8BxoKylppudksck1VSYDJ8uL9YRFce2Jpcu49rChnxJbtsZNrXdOJ4I9gAyeEzCcwpFnFlFtNzlk0" +
            "kq5HPI7aFJuRZAIeQZdexdAIuX/I99hbCTgoILPLBbdnZpD0FMf4QiO7zax+PB8jilzmGZNprdjXTrgB" +
            "gDY1lKNOD9csdSYf7OZtIqtL/ItXRS8+vwkXsVBy+cHV4Lm5F6WcHbuCijHgO9I/i11/dLMgWnec5s9f" +
            "JgobI7LtHyWVUMuQHpICeeXaTRdjvnS0SpDZ4hhnJazyvnOp/XcLqDuGhabftINHPo3WqGMziLDQJ/bm" +
            "RlekI51RSTElGx3iNkmcvTeFZkpmtRTBBRRNabcEwxY7QdQ+BBYoDZj6PQEhQlgHvOzeHxUO0MoQMnOY" +
            "OzvsVrdOLuPdePwulzdBZPT0/TKaQurW6mYVn0P6NC30lFn62cX7hNo4IgkiK9QEkGZAGpRQ+colTseO" +
            "OaarAMiy96Mqyhr75KmVkHthoJRx1uom+41YoxRo84giZCtaQ14pXED6ZsbSh2ermNPPvzZj2A71d5w/" +
            "VGlKupkumgwCqAcpZoJlilp3MWIuVrPKcPQJRL229jA+MCEwCQYFKw4DAhoFAAQUAjR++XKs2CpyQnWd" +
            "JbAC0TdIj6wEFK8VOoYBedkzXBQQn9F2nA/lQrJhAgMBhqA=";

    private static String SelfSignedPW = "";

    public static void main(String[] args) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(new ByteArrayInputStream(Base64.getDecoder().decode(SelfSignedP12)), SelfSignedPW.toCharArray());

        SSLContext context = SSLContext.getInstance("TLS");

        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, SelfSignedPW.toCharArray());
        context.init(keyManagerFactory.getKeyManagers(), null, null);

        SSLSessionContext serverContext = context.getServerSessionContext();
        serverContext.setSessionCacheSize(5);

        SSLServerSocketFactory factory = context.getServerSocketFactory();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(8443);
        while (true) {

            System.out.println("Wait for connection...");

            try (SSLSocket client = (SSLSocket) socket.accept(); OutputStream os = client.getOutputStream()) {
                System.out.println("Connection from " + client.getRemoteSocketAddress());
                os.write(("I am Java version: " + System.getProperty("java.version") + "\n").getBytes(StandardCharsets.UTF_8));
                os.flush();
                System.out.println("Closing connection...");
                System.out.println("Current cache size: " + countEnumeration(serverContext.getIds()));
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

    private static int countEnumeration(Enumeration<byte[]> ids) {
        int count = 0;
        while (ids.hasMoreElements()) {
            ids.nextElement();
            count++;
        }
        return count;
    }
}
---------- END SOURCE ----------

FREQUENCY : always
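
An added diagnostic, not part of the original report or of the JDK: it diffs the session IDs returned by `getIds()` before and after each accepted connection, so the entries a single handshake adds to the server cache can be listed individually instead of only counted. It assumes the key store is supplied through the standard `javax.net.ssl.keyStore` and `javax.net.ssl.keyStorePassword` system properties; the class name `SessionCacheDelta` and the helper names are illustrative.

```java
import javax.net.ssl.*;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class SessionCacheDelta {
    // Snapshot the cache as hex session IDs so two snapshots can be diffed.
    static Set<String> snapshot(SSLSessionContext ctx) {
        Set<String> ids = new TreeSet<>();
        for (byte[] id : Collections.list(ctx.getIds())) ids.add(hex(id));
        return ids;
    }

    static String hex(byte[] id) { return new BigInteger(1, id).toString(16); }

    // IDs present in 'after' but not in 'before': the entries one connection added.
    static Set<String> added(Set<String> before, Set<String> after) {
        Set<String> delta = new TreeSet<>(after);
        delta.removeAll(before);
        return delta;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: key material comes from -Djavax.net.ssl.keyStore / keyStorePassword.
        SSLContext context = SSLContext.getDefault();
        SSLSessionContext cache = context.getServerSessionContext();
        try (SSLServerSocket server = (SSLServerSocket)
                context.getServerSocketFactory().createServerSocket(8443)) {
            while (true) {
                Set<String> before = snapshot(cache);
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();
                    client.getOutputStream().write("ok\n".getBytes(StandardCharsets.US_ASCII));
                    client.getOutputStream().flush();
                    SSLSession session = client.getSession();
                    String own = hex(session.getId());
                    Set<String> delta = added(before, snapshot(cache));
                    System.out.println(session.getProtocol() + ": " + delta.size() + " new cache entries");
                    for (String id : delta)  // mark which new entry, if any, is this socket's session
                        System.out.println("  " + id + (id.equals(own) ? "  <- this connection's session" : "  <- additional entry"));
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
        }
    }
}
```

Comparing the per-connection delta against the value passed to `setSessionCacheSize` shows how many distinct clients the cache can actually hold on a given JDK build.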



Comments
The summary of the observations on Windows 10:
  • JDK 8u241: Pass, cache sizes are 1 and 2
  • JDK 11ea: Fail, cache sizes are 2 and 2
  • JDK 11.0.7: Fail, cache sizes are 2 and 4
  • JDK 14.0.1: Fail, cache sizes are 0 and 0
  • JDK 15ea: Fail, cache sizes are 0 and 0
ILW=MMH=P3
02-03-2020

It looks more like an enhancement. Currently, the session renew ticket is cached as a session. We could make an improvement for performance. For now, the stateless feature could be considered.
28-02-2020

The observation on Windows 10 with JDK 14.0.1 using a browser to connect to https://localhost:8443:

    C:\jdk-14.0.1\bin\java MinimalServer
    Wait for connection...
    Connection from /127.0.0.1:50941
    Closing connection...
    Current cache size: 0
    Wait for connection...
    Connection from /127.0.0.1:50942
    Closing connection...
    Current cache size: 0
24-02-2020

The observation on Windows 10 with JDK 8u241 using a browser to connect to https://localhost:8443:

    C:\jdk1.8.0_241\bin\java MinimalServer
    Wait for connection...
    Connection from /127.0.0.1:50905
    Closing connection...
    Current cache size: 1
    Wait for connection...
    Connection from /127.0.0.1:50906
    Closing connection...
    Current cache size: 2
24-02-2020

The observation on Windows 10 with JDK 15ea using a browser to connect to https://localhost:8443:

    C:\jdk-15\bin\java MinimalServer
    Wait for connection...
    Connection from /127.0.0.1:50891
    Closing connection...
    Current cache size: 0
    Wait for connection...
    Connection from /127.0.0.1:50892
    Closing connection...
    Current cache size: 0
    Wait for connection...
24-02-2020

The observation on Windows 10 with JDK 11.0.7 using a browser to connect to https://localhost:8443. The output of server console:

    C:\jdk-11.0.7\bin\java MinimalServer
    Wait for connection...
    Connection from /127.0.0.1:50072
    Closing connection...
    Current cache size: 2
    Wait for connection...
    Connection from /127.0.0.1:50073
    Closing connection...
    Current cache size: 4
    Wait for connection...
24-02-2020